Dimo's Quest password recovery

Anything relating to CD-i can be discussed in this forum. From the multiple hardware iterations of the system to the sofware including games, reference, music and Video CDs. Maybe you hold an interest in Philips Media and the many development houses set up to cater for CD-i if so then this is the forum.
Post Reply
User avatar
cdifan
CD-i Emulator Author
Posts: 898
Joined: Fri Jun 24, 2005 6:19 am
Location: The Netherlands
Contact:

Dimo's Quest password recovery

Post by cdifan » Fri Sep 01, 2017 3:13 am

It appears that the pressed Dimo's Quest does not have a cheat mode.

From the Decoding CD-i audio files thread:
Shikotei wrote:
Thu Aug 31, 2017 1:41 pm
cdifan wrote:
Wed Aug 30, 2017 10:23 pm
.. no cheat mode ..
Aww. Dimo is one of the best games out there, but with the randomly generated passwords it's only really playable with a fully working (no dead TimeKeeper) console.
Leaving the CD-i on for days is not something I'd advise.
But look what I cooked up by reverse-engineering the password generator code:

Code: Select all

C:\Tmp>dimopass
Usage: dimopass PASSWORD ...
Function: Calculates Dimo's Quest level passwords from samples
Written by CD-i Fan <cdifan@gmail.com>

Code: Select all

C:\Tmp>dimopass.exe QAPUDUNE GUGIKENE
Too many possibilities, provide more PASSWORD samples!

Code: Select all

C:\Tmp>dimopass.exe QAPUDUNE GUGIKENE BEDYZIKU
02: QAPUDUNE
03: GUGIKENE
04: BEDYZIKU
05: PYTOFERA
06: CUGUMEJU
07: COCEXUZY
08: ZIZYFEFU
09: KOZYKUKE
10: RUFOJELU
11: LUKEDULI
12: VYPIGALY
13: WYNIHEHI
14: BEZIBAGO
15: HIQICEGU
16: MAJEWICY
17: JAPIPIZO
18: CEHIBAMI
19: QOMAGEPY
20: DEVIDIMU
21: HOBEMUSU
22: HIKUDYDI
23: SEQEDEPE
24: FECIZYGU
25: BIRALEWY
26: BYPOJYDA
27: DEVILEKA
28: QAJUKUCI
29: CUXEFOZI
30: KIPYPUZE
31: HUHIQYCI
32: GAHENYHE
33: HIDITURO
34: FESAJAGA
35: DUCUHESA
36: MIZIJADI
37: LISAKOCO
38: WEBOTULE
39: DIMITUJI
40: BYVIWANY
41: WYFOLYNU
42: CIMUNYPO
43: FEHAMABU
44: CAVIKILI
45: DEHYCEXU
46: CICEBIHI
47: GIREBYHE
48: GAKIGIQU
49: PIDEBILE
50: ROLUHYSI
51: KYHIZAVE
Dimo's Quest generates the complete password list from a single 4-byte random value that is stored in NVRAM.
I've known this for years and wondered if a few passwords leak enough info to allow reconstruction of that random value?
It turns out that the answer is yes; the minimum required number of passwords seems to be three.

So you can play the first few (usually three) levels and use those passwords to generate a full password list.
This should answer all concerns about full playability of Dimo's Quest without a working NVRAM.

NB. It is also possible to use CD-i Link and a CD-i null-modem cable to save the NVRAM file before turning off the player, and restoring it after turning the player back on. This has the advantage of restoring your highscores as well...

User avatar
cdifan
CD-i Emulator Author
Posts: 898
Joined: Fri Jun 24, 2005 6:19 am
Location: The Netherlands
Contact:

Re: Dimo's Quest password recovery

Post by cdifan » Fri Sep 01, 2017 8:40 pm

Here are some comment from the sources of dimopass:
cdifan wrote:
Motivation and basic algorithm.

The Dimo's Quest CD-i title issues level passwords after each completed level.
By entering this password, the user can start directly at the next level.

The list of passwords is different for each CD-i player, because
it is generated from a 32-bit random number stored in the first four
bytes of the NVRAM file "Dimos_quest". When this file is first created
the random number is generated based on the current time,
which in practice means that it is unique for each CD-i player.

If the CD-i player has an empty NVRAM battery, all NVRAM contents
will be lost each time the player loses power. The effect is that
all previously issued level passwords become useless.

The level password generation algorithm leaks enough information
that a few passwords are enough to uniquely determine the random
number and thus the full set of generated level passwords.
In practice it seems that three full passwords are exactly enough
to uniquely determine the full set.

What this means is that after losing NVRAM, the user can just
play the first three levels (which are easy) and then use this
program to generate the full level password set. By entering the
appropriate level password, any level can then be reached.

Each password has 8 characters, consisting of 4 consonant-vowel pairs.
Dimo's Quest generates the 50 * 8 = 400 characters of these passwords
as a single run of 200 pairs.

Each pair is generated from 8 bits of a 16-bit random number half,
which means that it determines some possible values for those 8 bits.
The generation algorithm used implies that each pair determines
from 1 to 4 possible values for those bits.

The random number iteration algorithm uses a 32-bit random number,
but 16 bits of these are always equal to the other 16 bits of the
32-bit random number from the previous iteration.

This means that the first two pairs determine from 1 to 16 possible
values for 16 bits of the 32-bit random number. The remaining number
of values is at most 16 * 2^16 = 2^20 which is small enough
that just iterating over those and matching the generated pairs
against the specified pairs is fast enough to be feasible.
The full source and a Windows executable can be downloaded here: http://www.cdiemu.org/download/dimopass.zip.

Arethius_RGC
Burn:Cycle Activated
Posts: 38
Joined: Mon Jun 25, 2012 2:33 pm

Re: Dimo's Quest password recovery

Post by Arethius_RGC » Wed Nov 15, 2017 10:38 am

cdifan wrote:
Fri Sep 01, 2017 3:13 am
NB. It is also possible to use CD-i Link and a CD-i null-modem cable to save the NVRAM file before turning off the player, and restoring it after turning the player back on. This has the advantage of restoring your highscores as well...
That's interesting. How do you do that ?

User avatar
cdifan
CD-i Emulator Author
Posts: 898
Joined: Fri Jun 24, 2005 6:19 am
Location: The Netherlands
Contact:

Re: Dimo's Quest password recovery

Post by cdifan » Wed Nov 15, 2017 10:45 pm

Arethius_RGC wrote:
Wed Nov 15, 2017 10:38 am
That's interesting. How do you do that ?
Part of an example of a CD-i Link session from the cdilink.txt file (included in the download):
cdilink.txt wrote:

Code: Select all

	cdilink -k                      Download cdistub and keep it active
	
	cdilink -c -b 19200             Continue by changing baudrate
	
	cdilink -c -dir /nvr            List contents of NVRAM
	
	cdilink -c -ucopy /nvr/HISCORE  Uploads HISCORE file to PC
	
	cdilink -c -del /nvr/HISCORE    Deletes HISCORE file from NVRAM

	cdilink -c -e                   Ends stub program

Post Reply